28.1 Wireless LAN

Wireless LANs have become an indispensable aspect of mobile computing.
Today, most laptops have built-in WLAN cards. The 802.11 standard for the
wireless communication of WLAN cards was prepared by the IEEE. Originally,
this standard provided for a maximum transmission rate of 2 Mbit/s. Since
then, several amendments have been added to increase the data rate. These
amendments define details such as the modulation, transmission power, and
transmission rates (see Table 28-1). Additionally, many companies ship
hardware with proprietary or draft features.

Table 28-1 Overview of Various WLAN Standards

Name            Band (GHz)     Maximum Transmission Rate (Mbit/s)   Note
802.11 Legacy   2.4            2                                    Outdated; virtually no end devices available
802.11a         5              54                                   Less interference-prone
802.11b         2.4            11                                   Less common
802.11g         2.4            54                                   Widespread, backwards-compatible with 802.11b
802.11n draft   2.4 and/or 5   300                                  Common

802.11 Legacy cards are not supported by openSUSE®. Most cards
using 802.11a, 802.11b, 802.11g and 802.11n draft are supported. New cards
usually comply with the 802.11n draft standard, but cards using 802.11g
are still available.

28.1.1 Function

In wireless networking, various techniques and configurations are used to
ensure fast, high-quality, and secure connections. Different operating
modes suit different setups. Choosing the right authentication method can
be difficult, and the available encryption methods have different
advantages and pitfalls.

Basically, wireless networks can be classified as managed networks and
ad-hoc networks. Managed networks have a managing element: the access
point. In this mode (also referred to as infrastructure mode), all
connections of the WLAN stations in the network run over the access
point, which may also serve as a bridge to an ethernet. Ad-hoc
networks do not have an access point. The stations communicate directly
with each other, so an ad-hoc network avoids the extra hop through the
access point. However, the transmission range and number of
participating stations are greatly limited in ad-hoc networks, and they
do not support WPA authentication. Therefore, an access point is usually
used. Some WLAN cards can even act as an access point themselves (see
Master mode below).

Authentication

Because a wireless network is much easier to intercept and compromise
than a wired network, the various standards include authentication and
encryption methods. In the original version of the IEEE 802.11 standard,
these are described under the term WEP. However, because WEP has proven
to be insecure (see Security), the WLAN industry (joined under the name
Wi-Fi Alliance) defined a new extension called WPA, which is supposed to
eliminate the weaknesses of WEP. The later IEEE 802.11i standard (also
referred to as WPA2, because WPA was based on a draft version of 802.11i)
includes WPA and further authentication and encryption methods.

To make sure that only authorized stations can connect, various
authentication mechanisms are used in managed networks:

Open

An open system is a system that does not require authentication. Any
station can join the network. Nevertheless, WEP encryption (see
Encryption) can be used.

Shared Key (according to IEEE 802.11)

In this procedure, the WEP key is used for the authentication.
However, this procedure is not recommended, because it makes the WEP
key more susceptible to attacks and gives an attacker a shortcut into
the network. All an attacker needs to do is to listen once to the
authentication exchange between a station and the access point: the
access point sends a challenge in clear text and the station returns
the same challenge WEP-encrypted. XORing the two yields the RC4
keystream for the IV the station used, and because WEP allows IVs to
be reused, the attacker can answer a later challenge with that
keystream and authenticate without ever learning the key. The same
keystream also lets the attacker inject forged packets under that IV.
Because this method makes use of the WEP key for the authentication
and for the encryption, it does not enhance the security of the
network. A station that has the correct WEP key can authenticate,
encrypt, and decrypt. A station that does not have the key cannot
decrypt received packets. Accordingly, it cannot communicate,
regardless of whether it had to authenticate itself.

WPA-PSK (defined in WPA/IEEE 802.11i)

WPA-PSK (PSK stands for preshared key) works similarly to the Shared
Key procedure in that all participating stations as well as the access
point need the same key. The key is 256 bits in length and is usually
entered as a passphrase of 8 to 63 characters, from which the key is
derived together with the network name (ESSID). Unlike Shared Key, the
preshared key itself is never used directly on the air; per-session
keys are negotiated from it. This system does not need a complex key
management like WPA-EAP and is more suitable for private use.
Therefore, WPA-PSK is sometimes referred to as WPA Home. Note that
anybody who captures the key negotiation of one station can test
passphrase guesses offline, so choose a long, random passphrase.

WPA-EAP (according to IEEE 802.1X)

Actually, WPA-EAP is not an authentication system but a protocol for
transporting authentication information. WPA-EAP is used to protect
wireless networks in enterprises. In private networks, it is scarcely
used. For this reason, WPA-EAP is sometimes referred to as WPA
Enterprise.

WPA-EAP needs a RADIUS server to authenticate users. EAP offers a number
of methods for connecting and authenticating to the server; the three
supported here are TLS (Transport Layer Security), TTLS (Tunneled
Transport Layer Security), and PEAP (Protected Extensible Authentication
Protocol). In a nutshell, these options work as follows:

EAP-TLS

TLS authentication relies on the mutual exchange of certificates
both for server and client. First, the server presents its
certificate to the client where it is evaluated. If the
certificate is considered valid, the client in turn presents its
certificate to the server. While TLS is secure, it requires a
working certificate management infrastructure in your network.
This infrastructure is rarely found in private networks.

EAP-TTLS and PEAP

Both TTLS and PEAP are two-stage protocols. In the first stage, a
TLS tunnel to the server is established using only the server's
certificate, and in the second stage the client authentication data
(typically a user name and password) is exchanged inside the tunnel.
They require far less certificate management overhead than TLS, if
any. The tunnel is only as trustworthy as the server certificate
check, however: if the client does not verify the server certificate
(see Server Certificate in the WPA-EAP dialog), a rogue access point
with its own RADIUS server can terminate the tunnel and collect the
password or password hash. Always configure the server certificate in
enterprise setups.
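The Shared Key weakness described above, as an added example in Python (this is not code from the openSUSE documentation). RC4 and the WEP framing are implemented inline; the WEP key and the IV are constructed values. One observed challenge/response pair gives the attacker the keystream for that IV, and because WEP lets a station reuse an IV, that keystream answers any later challenge without the key:

```python
"""Why WEP Shared Key authentication leaks the keystream.

Added example, not code from the openSUSE documentation. RC4 and the WEP
framing are implemented inline (the real algorithms, written for clarity
rather than speed); the WEP key and the IV are constructed values.
"""
import os
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Append the ICV and XOR with RC4(IV || key); the IV travels in clear."""
    body = plaintext + icv(plaintext)
    return xor(body, rc4(iv + wep_key, len(body)))


def wep_verify(wep_key: bytes, iv: bytes, ciphertext: bytes, expected: bytes) -> bool:
    """The access point's check on a Shared Key response frame."""
    body = xor(ciphertext, rc4(iv + wep_key, len(ciphertext)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext == expected and tag == icv(plaintext)


def shared_key_auth(wep_key: bytes, respond):
    """One Shared Key authentication. `respond(challenge)` plays the station
    and returns (iv, ciphertext). Returns (challenge, iv, ciphertext, accepted)."""
    challenge = os.urandom(128)          # 802.11 uses a 128-byte challenge text
    iv, ciphertext = respond(challenge)
    return challenge, iv, ciphertext, wep_verify(wep_key, iv, ciphertext, challenge)


def demo(wep_key: bytes = bytes.fromhex("0123456789abcdef0123456789")) -> dict:
    """Legitimate station authenticates, attacker listens, attacker authenticates."""
    station_iv = bytes.fromhex("a1b2c3")     # constructed; the station picks the IV

    def legitimate_station(challenge):
        return station_iv, wep_encrypt(wep_key, station_iv, challenge)

    # 1. Observe one genuine exchange (both frames are visible on the air).
    challenge, iv, ciphertext, legit_ok = shared_key_auth(wep_key, legitimate_station)

    # 2. Keystream recovery needs no key: (challenge || ICV) XOR ciphertext.
    keystream = xor(challenge + icv(challenge), ciphertext)
    assert keystream == rc4(iv + wep_key, len(ciphertext))  # sanity check only

    # 3. Answer a fresh challenge by reusing the sniffed IV and keystream.
    #    This closure never touches wep_key.
    def attacker(new_challenge):
        return iv, xor(new_challenge + icv(new_challenge), keystream)

    _, _, _, attacker_ok = shared_key_auth(wep_key, attacker)
    return {"legitimate_accepted": legit_ok, "attacker_accepted": attacker_ok,
            "keystream_bytes": len(keystream)}


if __name__ == "__main__":
    print(demo())
```

The 132 recovered keystream bytes are enough to encrypt any 128-byte payload under the same IV, which is why Shared Key authentication hands an attacker both network access and a packet-injection primitive; Open authentication with WEP at least does not give away a known-plaintext pair for free.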

Encryption

There are various encryption methods to ensure that no unauthorized
person can read the data packets that are exchanged in a wireless
network or gain access to the network:

WEP (defined in IEEE 802.11)

This standard makes use of the RC4 encryption algorithm, originally
with a key length of 40 bits, later also with 104 bits.
Often, the length is declared as 64 bits or 128 bits,
depending on whether the 24 bits of the initialization vector
are included. However, this standard has serious weaknesses: the
24-bit IV space is small, so IVs repeat, and statistical attacks on
RC4 as used by WEP recover the key from a few tens of thousands of
captured packets with freely available tools. Treat WEP as a deterrent
against casual use of your network only. Nevertheless, it is better to
use WEP than not encrypt the network at all.

Some vendors have implemented the non-standard Dynamic
WEP. It works exactly as WEP and shares the same weaknesses,
except that the key is periodically changed by a key management
service, which limits how long a recovered key stays useful.

TKIP (defined in WPA/IEEE 802.11i)

This key management protocol defined in the WPA standard uses the
same encryption algorithm as WEP (RC4), but eliminates WEP's known
weaknesses: a per-packet key is derived from the session key and a
48-bit sequence counter, so the attacks on WEP keys do not apply, and
a message integrity check (Michael) detects forged packets. TKIP was
designed so that existing WEP hardware could be upgraded by firmware.
It is typically used with WPA-PSK, but can also be used with WPA-EAP.
Prefer CCMP wherever the hardware supports it.

CCMP (defined in IEEE 802.11i)

CCMP is the encryption and integrity protocol of IEEE 802.11i: data
is protected with AES in CCM mode (counter mode with CBC-MAC), which
is stronger than the RC4 encryption of the WEP standard and of TKIP.
Usually, it is used in connection with WPA-EAP, but it can also be
used with WPA-PSK.

28.1.2 Configuration with YaST

To configure the wireless network card, select Network Devices > Network Settings in the YaST control center. The Network Settings dialog
where you can configure general network settings opens. Please refer to
Section 19.4, Configuring a Network Connection with YaST for more information about the
general network configuration. All network cards that have been detected
by the system are listed under the Overview tab.

Choose your wireless card from the list and click Edit
to open the Network Card Setup dialog. Configure whether to use a dynamic
or a static IP address under the tab Address. You can
also adjust General and Hardware
settings such as Device Activation or
Firewall Zone and driver settings. In most cases there
is no need to change the preconfigured values.

Click Next to proceed to the wireless network card
specific configuration dialog. If you are using NetworkManager (refer to
Section 19.5, NetworkManager for more information), there is no need
to adjust the wireless device settings, since these will be set by NetworkManager
on demand—proceed with Next and
Yes to finish the configuration. If you are using your
computer only in a specific wireless network, make the basic settings for
WLAN operation here.

Figure 28-1 YaST: Configuring the Wireless Network Card

Operating Mode

A station can be integrated in a WLAN in three different modes. The
suitable mode depends on the network in which to communicate:
Ad-hoc (peer-to-peer network without access point),
Managed (network is managed by an access point), or
Master (your network card should be used as the
access point). To use any of the WPA-PSK or WPA-EAP modes, the
operating mode must be set to Managed.

Network Name (ESSID)

All stations in a wireless network need the same ESSID for
communicating with each other. If nothing is specified, the card may
automatically select an access point, which may not be the one you
intended to use. Use Scan Network for a list of
available wireless networks.

Authentication Mode

Select a suitable authentication method for your network: No
Encryption, WEP-Open, WEP-Shared
Key, WPA-EAP, or
WPA-PSK. If you select WPA authentication, a
network name (ESSID) must be set.

Key Input Type

WEP and WPA-PSK authentication methods require you to enter a key. The
key can be entered as a Passphrase, as an
ASCII string, or as a Hexadecimal
string.

WEP Keys

Either enter the default key here or click WEP
Keys to enter the advanced key configuration dialog. Set
the length of the key to 128 bit or 64
bit. The default setting is 128 bit.
In the list area at the bottom of the dialog, up to four different
keys can be specified for your station to use for the encryption.
Press Set as Default to define one of them as
the default key. Unless you change this, YaST uses the first
entered key as the default key. If the default key is deleted, one
of the other keys must be marked manually as the default key. Click
Edit to modify existing list entries or create
new keys. In this case, a pop-up window prompts you to select an
input type (Passphrase,
ASCII, or Hexadecimal). If
you select Passphrase, enter a word or a
character string from which a key is generated according to the
length previously specified. ASCII requests an
input of 5 characters for a 64-bit key and 13 characters for a
128-bit key. For Hexadecimal, enter 10
characters for a 64-bit key or 26 characters for a 128-bit key in
hexadecimal notation.

WPA-PSK

To enter a key for WPA-PSK, select the input method
Passphrase or Hexadecimal. In
the Passphrase mode, the input must be 8 to 63
characters. In the Hexadecimal mode, enter 64
characters.

Expert Settings

This button opens a dialog for the detailed configuration of your WLAN
connection. Usually there should be no need to change the
preconfigured settings.

Channel

The specification of a channel on which the WLAN station should
work is only needed in Ad-hoc and
Master modes. In Managed
mode, the card automatically searches the available channels for
access points. In Ad-hoc mode, select one of the
offered channels (11 to 14, depending on your country) for the
communication of your station with the other stations. In
Master mode, determine on which channel your
card should offer access point functionality. The default setting
for this option is Auto.

Bit Rate

Depending on the performance of your network, you may want to set a
certain bit rate for the transmission from one point to another. In
the default setting Auto, the system tries to
use the highest possible data transmission rate. Some WLAN cards do
not support the setting of bit rates.

Access Point

In an environment with several access points, one of them can be
preselected by specifying its MAC address. This is a convenience
setting, not a security measure: a MAC address is trivially spoofed,
so it does not stop a rogue access point from impersonating yours.

Use Power Management

When you are on the road, use power saving technologies to maximize
the operating time of your battery.
Using power
management may affect the connection quality and increase the
network latency.

Click Next to finish the setup. If you have chosen WPA-EAP
authentication, another configuration step is needed before your station
is ready for deployment in the WLAN. Enter the credentials you have been
given by your network administrator. For TLS, provide
Identity, Client Certificate,
Client Key, and Server Certificate.
TTLS and PEAP require Identity and
Password. Server Certificate and
Anonymous Identity are optional in the dialog, but you should
always provide the server certificate: without it, the station accepts
any RADIUS server that terminates the TLS tunnel, and a rogue access
point can collect your password or password hash. YaST searches for
any certificate under /etc/cert. Therefore, save the
certificates given to you to this location and restrict access to these
files to 0600 (owner read and write). Click
Details to enter the advanced authentication dialog
for your WPA-EAP setup. Select the authentication method for the second
stage of EAP-TTLS or EAP-PEAP communication. If you selected TTLS in the
previous dialog, choose any, MD5,
GTC, CHAP, PAP,
MSCHAPv1, or MSCHAPv2. If you
selected PEAP, choose any, MD5,
GTC, or MSCHAPv2. Note that PAP
transmits the password in clear text inside the tunnel, so it relies
entirely on the server certificate check. PEAP
version can be used to force the use of a certain PEAP
implementation if the automatically-determined setting does not work for
you.
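The WPA-PSK key field above accepts either an 8 to 63 character passphrase or exactly 64 hexadecimal characters. Both denote the same secret, the 256-bit pairwise master key (PMK) introduced under WPA-PSK in the Authentication section: the PMK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, 4096 iterations, which is why YaST requires an ESSID for WPA. The following Python is an added example, not code from the openSUSE documentation; the test vectors are the ones published in IEEE 802.11i Annex H, and the wordlist is constructed:

```python
"""WPA-PSK passphrase to 256-bit key (added example, not from this page)."""
import hashlib
import re

PBKDF2_ITERATIONS = 4096   # fixed by the standard, not tunable per network
PMK_BYTES = 32             # 256 bits, i.e. 64 hex characters


def wpa_psk_pmk(passphrase: str, essid: str) -> bytes:
    """Derive the PMK exactly as a station or access point does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters")
    ssid = essid.encode("utf-8")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("ESSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid,
                               PBKDF2_ITERATIONS, PMK_BYTES)


def normalize_psk_input(value: str, essid: str) -> str:
    """Turn whatever was typed into a WPA-PSK key field into the 64-hex PMK.

    Exactly 64 hex characters are taken as a pre-hashed key; anything else
    is a passphrase. Capping passphrases at 63 characters is what keeps the
    two forms unambiguous.
    """
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return value.lower()
    return wpa_psk_pmk(value, essid).hex()


def dictionary_attack(target_pmk: bytes, essid: str, wordlist):
    """Offline guessing, the shape of what an attacker with a captured
    4-way handshake does. In reality each candidate is checked against the
    handshake MIC rather than a known PMK, but the cost per guess is this
    same PBKDF2 call. The ESSID is public, so the only defence is the size
    of the passphrase space."""
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:
            continue
        if wpa_psk_pmk(guess, essid) == target_pmk:
            return guess
    return None


def demo() -> dict:
    essid = "IEEE"
    pmk = wpa_psk_pmk("password", essid)      # Annex H test vector
    wordlist = ["letmein1", "password", "correct horse battery staple"]  # constructed
    return {
        "pmk_hex": pmk.hex(),
        "hex_input_round_trips": normalize_psk_input(pmk.hex().upper(), essid) == pmk.hex(),
        "cracked": dictionary_attack(pmk, essid, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

Because the derivation is deterministic from passphrase and ESSID, renaming the network changes the PMK but does not protect a weak passphrase; a default or short passphrase falls to a wordlist in seconds once one handshake has been captured.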

IMPORTANT: Security in Wireless Networks

Be sure to use one of the supported authentication and encryption
methods to protect your network traffic. Unencrypted WLAN connections
allow third parties to intercept all network data. Even a weak
encryption (WEP) is better than none at all. Refer to
Encryption and
Security for information.

kismet (package kismet) is a network diagnosis tool that passively
captures WLAN packet traffic. In this way, you can also detect
intrusion attempts on your network. More information is available at
http://www.kismetwireless.net/ and in the manual page.

28.1.4 Tips and Tricks for Setting Up a WLAN

These tips can help tweak speed and stability as well as security aspects
of your WLAN.

Stability and Speed

The performance and reliability of a wireless network mainly depend on
whether the participating stations receive a clean signal from the other
stations. Obstructions like walls greatly weaken the signal. As the
signal strength drops, the transmission rate falls. During
operation, check the signal strength with the iwconfig utility on the
command line (Link Quality field) or with NetworkManager or
KNetworkManager. If you have problems with the signal quality, try to set up the
devices somewhere else or adjust the position of the antennas of your
access points. Auxiliary antennas that substantially improve the
reception are available for a number of PCMCIA WLAN cards. The rate
specified by the manufacturer, such as 54 Mbit/s, is a nominal
value that represents the theoretical maximum. In practice, the maximum
data throughput is no more than half this value.
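Reading the iwconfig fields mentioned above, as an added example (not code from the openSUSE documentation). The sample output is constructed to follow the layout wireless-tools' iwconfig prints; the field labels are the real ones, the values are made up. The encryption check carries a caveat a practitioner should know: iwconfig only reports WEP keys, so "Encryption key:off" on a WPA link managed by wpa_supplicant does not by itself mean the traffic is unencrypted.

```python
"""Parse iwconfig output for link quality and encryption state.

Added example, not from the openSUSE documentation. SAMPLE_IWCONFIG is
constructed; only the field labels match real iwconfig output.
"""
import re

SAMPLE_IWCONFIG = """\
wlan0     IEEE 802.11bg  ESSID:"example"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:11:22:33:44:55
          Bit Rate=24 Mb/s   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=31/70  Signal level=-79 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:12  Invalid misc:0   Missed beacon:3
"""


def parse_iwconfig(text: str) -> dict:
    """Pull the fields the tips above refer to out of one interface's block."""
    def grab(pattern, cast=str, default=None):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else default

    # Drivers print "Link Quality=31/70" or "Link Quality:31/70".
    q = re.search(r"Link Quality[=:](\d+)/(\d+)", text)
    return {
        "essid": grab(r'ESSID:"([^"]*)"'),
        "mode": grab(r"Mode:(\S+)"),
        "access_point": grab(r"Access Point: ([0-9A-Fa-f:]{17})"),
        "bit_rate_mbps": grab(r"Bit Rate[=:]([\d.]+) Mb/s", float),
        "quality": int(q.group(1)) if q else None,
        "quality_max": int(q.group(2)) if q else None,
        "signal_dbm": grab(r"Signal level[=:](-?\d+) dBm", int),
        "wep_key_off": "Encryption key:off" in text,
        "excessive_retries": grab(r"Tx excessive retries:(\d+)", int, 0),
        "power_management": grab(r"Power Management:(\S+)"),
    }


def assess(info: dict) -> list:
    """Turn the numbers into the advice given under Stability and Speed."""
    warnings = []
    if info["quality"] is not None and info["quality_max"]:
        pct = 100 * info["quality"] / info["quality_max"]
        if pct < 50:
            warnings.append(f"weak signal ({pct:.0f}% link quality): "
                            "move the device or adjust the antennas")
    if info["excessive_retries"] > 0:
        warnings.append(f"excessive Tx retries ({info['excessive_retries']}): "
                        "interference or poor signal")
    if info["power_management"] == "on":
        warnings.append("power management on: expect higher latency")
    if info["wep_key_off"]:
        # iwconfig shows WEP keys only; WPA keys are held by wpa_supplicant and
        # never appear here, so 'off' alone does not prove the link is open.
        warnings.append("no WEP key on the interface: confirm WPA is active, "
                        "otherwise the link is unencrypted")
    return warnings


if __name__ == "__main__":
    for line in assess(parse_iwconfig(SAMPLE_IWCONFIG)):
        print(line)
```

Run against real output with `iwconfig wlan0` piped into parse_iwconfig; the thresholds are deliberately simple and the 50% cut-off is a starting point, not a driver-specific calibration.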

Security

If you want to set up a wireless network, remember that anybody within
the transmission range can easily access it if no security measures are
implemented. Therefore, be sure to activate an encryption method. All
WLAN cards and access points support WEP encryption. Although this is
not safe against anybody who makes the effort (WEP keys can be recovered
from captured traffic with freely available tools), it does present an
obstacle to casual use. Use WPA-PSK wherever possible; it is only
missing in older access points or routers with WLAN functionality. On
some devices, WPA can be added by means of a firmware update.
Furthermore, although Linux supports WPA on most hardware components,
some drivers do not offer WPA support. If WPA is not available, WEP is
better than no encryption, but do not rely on it to keep a determined
attacker out. In enterprises with advanced security requirements,
wireless networks should only be operated with WPA, preferably WPA-EAP
with CCMP.

Problems with Prism2 Cards

Several drivers are available for devices with
Prism2 chips. The various cards work more or
less smoothly with the various drivers. With these cards, WPA is only
possible with the hostap driver. If such a card does not work properly
or not at all or you want to use WPA, read
/usr/share/doc/packages/wireless-tools/README.prism2.